Windows Analysis Report
INV NO -609983773 60983768.exe

Overview

General Information

Sample Name: INV NO -609983773 60983768.exe
Analysis ID: 715073
MD5: 4e06d9889629e7ff0faba3b139dcc950
SHA1: 11db4a20ec8fc4a88bc5b75dc5de730e719b9f57
SHA256: 341b6ff76b63e3e74b8fd97b301462f9a6544405946271b7766c4ff4c8c28150
Tags: exe

Detection

Remcos
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
.NET source code references suspicious native API functions
Machine Learning detection for sample
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • INV NO -609983773 60983768.exe (PID: 6048 cmdline: C:\Users\user\Desktop\INV NO -609983773 60983768.exe MD5: 4E06D9889629E7FF0FABA3B139DCC950)
    • RegAsm.exe (PID: 5168 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
    • RegAsm.exe (PID: 6140 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
    • RegAsm.exe (PID: 6096 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
    • RegAsm.exe (PID: 6112 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
    • RegAsm.exe (PID: 6116 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)
  • cleanup
{"Version": "3.8.0 Pro", "Host:Port:Password": "172.111.234.110:5888", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7I9HK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x68438:$a1: Remcos restarted by watchdog!
  • 0x68990:$a3: %02i:%02i:%02i:%03i
  • 0x68d15:$a4: * Remcos v
00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x1b83c0:$a1: Remcos restarted by watchdog!
  • 0x1b8918:$a3: %02i:%02i:%02i:%03i
  • 0x1b8c9d:$a4: * Remcos v
Process Memory Space: INV NO -609983773 60983768.exe PID: 6048 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows exceutables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x60100:$s1: \Classes\mscfile\shell\open\command
  • 0x60160:$s1: \Classes\mscfile\shell\open\command
  • 0x60148:$s2: eventvwr.exe
0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x661e0:$a1: Remcos restarted by watchdog!
  • 0x66738:$a3: %02i:%02i:%02i:%03i
  • 0x66abd:$a4: * Remcos v
0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x611e4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6020c:$str_b2: Executing file:
  • 0x61328:$str_b3: GetDirectListeningPort
  • 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x60e30:$str_b7: \update.vbs
  • 0x60234:$str_b9: Downloaded file:
  • 0x60220:$str_b10: Downloading file:
  • 0x602c4:$str_b12: Failed to upload file:
  • 0x612f0:$str_b13: StartForward
  • 0x61310:$str_b14: StopForward
  • 0x60dd8:$str_b15: fso.DeleteFile "
  • 0x60d6c:$str_b16: On Error Resume Next
  • 0x60e08:$str_b17: fso.DeleteFolder "
  • 0x602b4:$str_b18: Uploaded file:
  • 0x60274:$str_b19: Unable to delete:
  • 0x60da0:$str_b20: while fso.FileExists("
  • 0x60749:$str_c0: [Firefox StoredLogins not found]
0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

No Sigma rule has matched
No Snort rule has matched

            AV Detection

Source: INV NO -609983773 60983768.exe | Virustotal: Detection: 9%
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR
Source: INV NO -609983773 60983768.exe | Joe Sandbox ML: detected
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack | Malware Configuration Extractor: Remcos {"Version": "3.8.0 Pro", "Host:Port:Password": "172.111.234.110:5888", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-O7I9HK", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: INV NO -609983773 60983768.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Malware configuration extractor | URLs: 172.111.234.110
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://fsf.org/
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, INV NO -609983773 60983768.exe, 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://itextpdf.com/terms-of-use/
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://www.gnu.org/licenses
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://www.gnu.org/licenses/
Source: INV NO -609983773 60983768.exe | String found in binary or memory: http://www.gnu.org/licenses/gpl-faq.html#FontException
Source: INV NO -609983773 60983768.exe | String found in binary or memory: https://opensource.bulkpdf.de/
Source: INV NO -609983773 60983768.exe | String found in binary or memory: https://opensource.bulkpdf.de/Whttps://opensource.bulkpdf.de/documentation
Source: INV NO -609983773 60983768.exe | String found in binary or memory: https://opensource.bulkpdf.de/documentation

            E-Banking Fraud

Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR

            System Summary

Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: INV NO -609983773 60983768.exe | Static PE information: No import functions for PE file found
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: INV NO -609983773 60983768.exe | Binary or memory string: OriginalFilename vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.242964715.0000013DA2109000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000000.237710745.0000013DA1F42000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBulkPDF.exe0 vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe, 00000000.00000002.243176170.0000013DA2420000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe | Binary or memory string: OriginalFilenameBulkPDF.exe0 vs INV NO -609983773 60983768.exe
Source: INV NO -609983773 60983768.exe | Virustotal: Detection: 9%
Source: INV NO -609983773 60983768.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: INV NO -609983773 60983768.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\INV NO -609983773 60983768.exe C:\Users\user\Desktop\INV NO -609983773 60983768.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\INV NO -609983773 60983768.exe.log
Source: classification engine | Classification label: mal76.troj.evad.winEXE@11/1@0/0
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: INV NO -609983773 60983768.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: INV NO -609983773 60983768.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Code function: 0_2_00007FFDC3A1000A push fs; ret 0_2_00007FFDC3A1004B
Source: initial sample | Static PE information: section name: .text entropy: 7.3605775158149305
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe TID: 5164 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

Source: INV NO -609983773 60983768.exe, BIDEN_HARRISu003du003e1housand/BIDEN_HARRISu003du003eFollo8ing.cs | Reference to suspicious API methods: ('BIDEN_HARRIS=>6housand', 'VirtualProtect@kernel32.dll'), ('BIDEN_HARRIS=>Contra3t', 'GetProcAddress@kernel32.dll'), ('BIDEN_HARRIS=>Loa8', 'LoadLibrary@kernel32.dll')
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Queries volume information: C:\Users\user\Desktop\INV NO -609983773 60983768.exe VolumeInformation
Source: C:\Users\user\Desktop\INV NO -609983773 60983768.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db409f9a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3eafa58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db407f970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV NO -609983773 60983768.exe.13db3f8fb00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244325962.0000013DB3EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245237358.0000013DB3F8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: INV NO -609983773 60983768.exe PID: 6048, type: MEMORYSTR
MITRE ATT&CK Matrix (a number in parentheses is the count of matched signatures mapped to that technique; cells without a number had no match)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API (1) | Path Interception | Process Injection (11) | Masquerading (1) | OS Credential Dumping | Process Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Application Layer Protocol (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (21) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (21) | Security Account Manager | System Information Discovery (12) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (11) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (2) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features